Check for Amazon ECS Service Placement Strategy

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ECS-003

Ensure that your Amazon Elastic Container Service (ECS) cluster services are using the best placement strategies in order to optimize tasks for reliability and cost efficiency. A placement strategy is an algorithm for selecting EC2 instances for task placement or tasks for termination. The recommended task placement strategies for your Amazon ECS services are "Spread" and "Binpack". The "Spread" placement strategy will ensure that your tasks are placed evenly based on the specified value, providing redundancy within the ECS service and thus better reliability. The "Binpack" strategy places tasks on container instances so as to leave the least amount of unused memory or CPU (but still able to run the tasks). This strategy minimizes the number of Amazon ECS container instances in use, resulting in cost efficiency.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability
Cost optimisation

When a task that uses the EC2 launch type is executed, Amazon ECS must determine where to place that task based on the requirements specified in the task definition, such as CPU and memory. Similarly, when you scale down the task count, Amazon ECS must determine which tasks to terminate. To customize how Amazon ECS service places and terminates tasks for improved reliability and cost efficiency, apply the recommended task placement strategies.


Audit

To determine the task placement strategy defined for your Amazon ECS cluster service(s), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Click on the name of the ECS cluster that you want to examine to access all the resources available on the selected cluster.

05 Select the Services tab and choose EC2 from the Launch type dropdown menu to list only the ECS cluster services that are using Amazon EC2 instances.

06 Click on the name of the cluster service that you want to examine.

07 Select the Deployments tab and check the Strategy attribute value listed in the Task Placement section to determine the task placement strategy type configured for the selected service. If the Strategy attribute value does not include the spread or binpack keyword, e.g. spread(instanceId) and/or spread(attribute:ecs.availability-zone) or binpack(MEMORY), the task placement strategy defined for the selected Amazon ECS cluster service is not compliant.

08 Repeat steps no. 6 and 7 to determine the task placement strategy configured for each service running in the selected Amazon ECS cluster.

09 Repeat steps no. 4 – 8 for each Amazon ECS cluster provisioned within the current region.

10 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all Amazon ECS clusters available in the selected region:

aws ecs list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusterArns'

02 The command output should return a table with the requested ECS cluster ARNs:

----------------------------------------------------------------------
|                           ListClusters                             |
+--------------------------------------------------------------------+
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-production-cluster  |
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster    |
+--------------------------------------------------------------------+

03 Run list-services command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster that you want to examine as identifier parameter and custom query filters to list the services that are running within the selected cluster:

aws ecs list-services \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-production-cluster \
	--query 'serviceArns'

04 The command output should return an array with the requested cluster service ARNs:

[
	"arn:aws:ecs:us-east-1:123456789012:service/cc-production-cluster/cc-main-task-service",
	"arn:aws:ecs:us-east-1:123456789012:service/cc-production-cluster/cc-subs-task-service"
]

05 Run describe-services command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster service that you want to examine as identifier parameter and custom query filters to describe the task placement strategy type configured for the selected cluster service:

aws ecs describe-services \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-production-cluster \
	--services arn:aws:ecs:us-east-1:123456789012:service/cc-production-cluster/cc-main-task-service \
	--query 'services[*].placementStrategy[].type'

06 The command output should return the type of the configured task placement strategy:

[
    "random"
]

If the task placement strategy type returned by the describe-services command output is neither "spread" nor "binpack", the task placement strategy defined for the selected Amazon ECS cluster service is not compliant.

07 Repeat steps no. 5 and 6 to determine the task placement strategy configured for each service running in the selected Amazon ECS cluster.

08 Repeat steps no. 3 – 7 for each Amazon ECS cluster deployed in the selected AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.
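
The CLI audit steps above can be run as one loop per region. The script below is an added example, not part of the original Conformity page: the function names classify_strategy and audit_region are hypothetical, and it passes --launch-type EC2 to list-services to mirror the EC2 filter used in console step 05.

```shell
#!/bin/sh
# Added example: automates CLI audit steps 01 - 08 for a single region.

# Classify the placement strategy types of one service.
# $1: whitespace-separated types as printed by --output text (e.g. "spread binpack").
# Assumption, following the rule's wording: a service is COMPLIANT when its
# strategy includes at least one "spread" or "binpack" entry. An empty list
# (no strategy configured) or only "random" is NON_COMPLIANT.
classify_strategy() {
  for t in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
    case "$t" in
      spread|binpack) echo COMPLIANT; return 0 ;;
    esac
  done
  echo NON_COMPLIANT
}

# Walk every cluster and every EC2 launch type service in region $1 and
# print one tab-separated line per service: verdict, types, service ARN.
audit_region() {
  region=$1
  for cluster in $(aws ecs list-clusters --region "$region" \
      --query 'clusterArns[]' --output text); do
    for service in $(aws ecs list-services --region "$region" \
        --cluster "$cluster" --launch-type EC2 \
        --query 'serviceArns[]' --output text); do
      # One describe-services call per service keeps the output unambiguous.
      types=$(aws ecs describe-services --region "$region" \
        --cluster "$cluster" --services "$service" \
        --query 'services[*].placementStrategy[].type' --output text)
      printf '%s\t%s\t%s\n' \
        "$(classify_strategy "$types")" "${types:-none}" "$service"
    done
  done
}

# Run the audit only when a region is given, e.g.:
#   sh ecs-placement-audit.sh us-east-1
if [ -n "${1:-}" ]; then
  audit_region "$1"
fi
```

Run it once per region to cover step 09; lines that start with NON_COMPLIANT are the services to reconfigure.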

Remediation / Resolution

To configure the compliant (optimal) task placement strategy for your Amazon ECS cluster services, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Click on the name of the ECS cluster that you want to reconfigure to access all the resources available on the selected cluster.

05 Select the Services tab and choose EC2 from the Launch type dropdown menu to list only the ECS cluster services that are using Amazon EC2 instances.

06 Click on the name of the cluster service that you want to reconfigure.

07 On the selected cluster service page, choose Update to modify the service parameters.

08 On the Update Service page, perform the following:

  1. In the Task Placement section, select one of the task placement strategy templates from the Placement Templates dropdown list:
    • AZ Balanced Spread (i.e. spread(attribute:ecs.availability-zone), spread(instanceId)) – this template will spread tasks across Availability Zones and within the Availability Zone spread tasks across instances.
    • AZ Balanced BinPack (i.e. spread(attribute:ecs.availability-zone), binpack(MEMORY)) – this template will spread tasks across Availability Zones and, within each Availability Zone, bin pack tasks onto the least number of instances by memory.
    • BinPack (i.e. binpack(MEMORY)) – this template will bin pack tasks by the least number of instances by memory.
    • Custom – to customize how tasks are placed by creating custom task placement strategies using Spread and/or BinPack task placement strategy types.
  2. Select the Force new deployment checkbox to redeploy your service tasks.
  3. Click Skip to review, then choose Update Service to update the selected Amazon ECS cluster service. Your service tasks are now redeployed using the task placement strategy that you configured in the previous steps.

09 Repeat steps no. 6 – 8 to configure the task placement strategy for other services running in the selected Amazon ECS cluster.

10 Repeat steps no. 4 – 9 for each Amazon ECS cluster available within the current region.

11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-service command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster service that you want to reconfigure as identifier parameter, to update the task placement strategy for the selected cluster service. Include --force-new-deployment command parameter to redeploy your service tasks using the specified task placement strategy. Some of the compliant task placement strategies that you can use for your Amazon ECS cluster service are:

  1. --placement-strategy type="spread",field="attribute:ecs.availability-zone" – this strategy distributes tasks evenly across Availability Zones.
  2. --placement-strategy type="spread",field="instanceId" – this strategy distributes tasks evenly across all instances.
  3. --placement-strategy type="binpack",field="memory" – this strategy bin packs tasks based on memory.
  4. --placement-strategy type="binpack",field="CPU" – this strategy bin packs tasks based on CPU.
  5. --placement-strategy type="spread",field="attribute:ecs.availability-zone" type="spread",field="instanceId" – this strategy distributes tasks evenly across Availability Zones and then distributes tasks evenly across the instances within each Availability Zone.
  6. --placement-strategy type="spread",field="attribute:ecs.availability-zone" type="binpack",field="memory" – this strategy distributes tasks evenly across Availability Zones and then bin packs tasks based on memory within each Availability Zone.

The following command example configures the specified Amazon ECS cluster service to use a task placement strategy that distributes tasks evenly across all instances:

aws ecs update-service \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-production-cluster \
	--service arn:aws:ecs:us-east-1:123456789012:service/cc-production-cluster/cc-main-task-service \
	--force-new-deployment \
	--placement-strategy type="spread",field="instanceId" \
	--query 'service.placementStrategy[]'

02 The command output should return the newly implemented task placement strategy:

[
    {
        "field": "instanceId",
        "type": "spread"
    }
]

03 Repeat steps no. 1 and 2 to configure the task placement strategy for other services running within the selected Amazon ECS cluster.

04 Repeat steps no. 1 – 3 for each Amazon ECS cluster provisioned in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

Publication date Dec 14, 2020
